BSD DevCenter
Monitoring Unix Logins
You can also tell the who command to read the /var/log/wtmp file instead of the default /var/run/utmp file:
who /var/log/wtmp

genisis     ttyv0   Feb  3 13:25
shutdown    ~       Feb  3 13:30
            ttyv0   Feb  3 13:30
reboot      ~       Feb  3 13:31
genisis     ttyv0   Feb  3 13:31
genisis     ttyv1   Feb  3 13:32
genisis     ttyv2   Feb  3 13:32
genisis     ttyp0   Feb  3 13:34   (biko)
genisis     ttyv3   Feb  3 13:46
genisis     ttyp1   Feb  3 15:04   (biko)
genisis     ttyv4   Feb  3 15:04
            ttyp0   Feb  3 15:31
genisis     ttyp0   Feb  3 15:56   (biko)
            ttyp0   Feb  3 16:00
genisis     ttyp0   Feb  3 16:00   (biko)
            ttyp0   Feb  3 16:23
genisis     ttyp0   Feb  3 16:23   (biko)
            ttyp0   Feb  3 16:23
genisis     ttyp0   Feb  3 16:23   (biko)
            ttyv4   Feb  3 16:32
genisis     ttyv4   Feb  3 16:32
            ttyv4   Feb  3 16:32
genisis     ttyv4   Feb  3 16:32
            ttyp0   Feb  3 16:45
            ttyp1   Feb  3 16:45
test1       ttyp0   Feb  3 16:50   (biko)
test2       ttyp1   Feb  3 16:51   (biko)
            ttyv4   Feb  3 16:51
test3       ttyv4   Feb  3 16:51
            ttyv4   Feb  3 17:36
shutdown    ~       Feb  3 20:39
            ttyv3   Feb  3 20:39
            ttyv1   Feb  3 20:39
            ttyv0   Feb  3 20:39
            ttyv2   Feb  3 20:39
reboot      ~       Feb  3 20:40
genisis     ttyv0   Feb  3 20:40
genisis     ttyv1   Feb  3 20:40
genisis     ttyv2   Feb  3 20:40
genisis     ttyv3   Feb  3 20:43
genisis     ttyv4   Feb  4 08:25

Notice that this output also contains the times of reboots and shutdowns. On your system, the output may have been much longer, depending on how often users log in and out of your FreeBSD system. If your output is too long, you can view just the last 10 entries with the following command:

who /var/log/wtmp | tail

The file /var/log/wtmp makes a record for every login, logout, date change, shutdown, and reboot. You can also access the information in the /var/log/wtmp file by using the last and ac commands. Let's compare the above output to the output of the last command:

last
genisis   ttyv4                Sun Feb  4 08:25   still logged in
genisis   ttyv3                Sat Feb  3 20:43   still logged in
genisis   ttyv2                Sat Feb  3 20:40   still logged in
genisis   ttyv1                Sat Feb  3 20:40   still logged in
genisis   ttyv0                Sat Feb  3 20:40   still logged in
reboot    ~                    Sat Feb  3 20:40
shutdown  ~                    Sat Feb  3 20:39
test3     ttyv4                Sat Feb  3 16:51 - 17:36     (00:44)
test2     ttyp1     biko       Sat Feb  3 16:51 - shutdown  (03:48)
test1     ttyp0     biko       Sat Feb  3 16:50 - shutdown  (03:48)
genisis   ttyv4                Sat Feb  3 16:32 - 16:51     (00:18)
genisis   ttyv4                Sat Feb  3 16:32 - 16:32     (00:00)
genisis   ttyp0     biko       Sat Feb  3 16:23 - 16:45     (00:21)
genisis   ttyp0     biko       Sat Feb  3 16:23 - 16:23     (00:00)
genisis   ttyp0     biko       Sat Feb  3 16:00 - 16:23     (00:22)
genisis   ttyp0     biko       Sat Feb  3 15:56 - 16:00     (00:03)
genisis   ttyv4                Sat Feb  3 15:04 - 16:32     (01:27)
genisis   ttyp1     biko       Sat Feb  3 15:04 - 16:45     (01:41)
genisis   ttyv3                Sat Feb  3 13:46 - shutdown  (06:52)
genisis   ttyp0     biko       Sat Feb  3 13:34 - 15:31     (01:57)
genisis   ttyv2                Sat Feb  3 13:32 - shutdown  (07:06)
genisis   ttyv1                Sat Feb  3 13:32 - shutdown  (07:06)
genisis   ttyv0                Sat Feb  3 13:31 - shutdown  (07:07)
reboot    ~                    Sat Feb  3 13:31
shutdown  ~                    Sat Feb  3 13:30
genisis   ttyv0                Sat Feb  3 13:25 - shutdown  (00:04)
reboot    ~                    Sat Feb  3 13:25
wtmp begins Sat Feb  3 13:25:04 2001


You'll notice that the entries are in reverse order, so you see the most recent events first. This means that if you want to limit the output to 10 lines, you should pipe it to the head command as you wish to see the head-end of the file rather than the tail-end. That is, to only see the 10 most recent entries, type:

last | head

The last three columns are interesting as they show what time the user logged in, what time they logged out, and the duration of the login session. It also makes note if the user was forcibly logged out due to a shutdown or reboot.
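As an added example that is not part of the original article, the following POSIX shell script reads output in the format last prints and totals it per user: number of sessions, minutes logged in, sessions that came from a remote host, sessions cut short by a shutdown, and sessions still open. The sample lines embedded in it are constructed from the session shapes shown above, the user_row helper is my own convenience function, and the "days+HH:MM" form for sessions longer than a day is an assumption about last's output.

```shell
#!/bin/sh
# Constructed sample in the format last(1) prints (not the article's own
# output): host column only for network logins; ends at a time, "shutdown", or "still logged in".
SAMPLE_LAST='genisis ttyv4 Sun Feb 4 08:25 still logged in
test3 ttyv4 Sat Feb 3 16:51 - 17:36 (00:44)
test2 ttyp1 biko Sat Feb 3 16:51 - shutdown (03:48)
test1 ttyp0 biko Sat Feb 3 16:50 - shutdown (03:48)
genisis ttyp0 biko Sat Feb 3 16:23 - 16:45 (00:21)
genisis ttyv4 Sat Feb 3 15:04 - 16:32 (01:27)
reboot ~ Sat Feb 3 13:31
shutdown ~ Sat Feb 3 13:30
wtmp begins Sat Feb 3 13:25:04 2001'

# summarize_last: read last(1) output on stdin and print one line per user:
#   user sessions total_minutes remote_sessions ended_by_shutdown still_active
summarize_last() {
    awk '
    # reboot/shutdown pseudo-users and the "wtmp begins" footer are not sessions.
    $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
    {
        user = $1
        sessions[user]++
        # Console logins have the weekday in field 3; anything else is a remote host.
        if ($3 !~ /^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)$/) remote[user]++
        if ($0 ~ /still logged in/) active[user]++
        if ($0 ~ /- shutdown /) cut[user]++
        # Duration is the trailing "(HH:MM)" field; "(days+HH:MM)" assumed for multi-day.
        if ($NF ~ /^\(([0-9]+[+])?[0-9]+:[0-9][0-9]\)$/) {
            d = substr($NF, 2, length($NF) - 2)
            days = 0
            if (split(d, p, "+") == 2) { days = p[1]; d = p[2] }
            split(d, t, ":")
            minutes[user] += days * 1440 + t[1] * 60 + t[2]
        }
    }
    END {
        for (u in sessions)
            printf "%s %d %d %d %d %d\n", u, sessions[u], minutes[u] + 0,
                   remote[u] + 0, cut[u] + 0, active[u] + 0
    }' | sort
}

# user_row: hypothetical helper returning the summary row for one user.
user_row() {
    printf '%s\n' "$SAMPLE_LAST" | summarize_last | grep "^$1 "
}

printf '%s\n' "$SAMPLE_LAST" | summarize_last
```

On a live system, replace the sample with `last | summarize_last`; a user whose remote-session count or shutdown-cut count is unexpectedly high is a good place to start reading the full wtmp record.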

The last command also accepts several arguments that narrow its output; a useful one is the pseudo-user name reboot, which restricts the listing to reboot records:

last reboot
reboot       ~          Sat Feb  3 20:40 
reboot       ~          Sat Feb  3 13:31 
reboot       ~          Sat Feb  3 13:25 
wtmp begins Sat Feb  3 13:25:04 2001

This will give a nice summary of the times and dates your FreeBSD system rebooted.

The ac utility adds up the connection times that are recorded in /var/log/wtmp and can be used to get a rough idea of which users are using the most connection time. If you run ac without any switches, you'll be given a number that represents a total of all connection times contained within /var/log/wtmp:

ac
	total	165.04

To see the total number of connection hours on a daily basis:

ac -d
Feb  3  total      124.42
Feb  4  total       41.52

And to see the total hours for each user for the entire period of the /var/log/wtmp file:

ac -p
	test1           4.12
	test2           4.11
	test3           0.75
	genisis       156.06
	total         165.04

To summarize: The utilities w, who, and users display information contained in the file /var/run/utmp; the utilities last and ac display the information contained in /var/log/wtmp.

The last thing I'd like to mention in today's article is locking unused terminals. Normally when a user finishes using a terminal, he or she will log out using either the exit or logout command. But sometimes a user needs to leave a terminal for a few minutes before finishing a session. It is good practice to lock your terminal if you need to be away from it, and your FreeBSD system comes with the lock utility for this purpose. If you just type lock, you'll be prompted for a "Key" or password to unlock the terminal:

lock
Key:
Again:
lock: /dev/ttyp0 biko timeout in 15 minutes
time now is Sun Feb  4 11:48:34 EST 2001
Key:

The terminal will now be locked either for 15 minutes or until the user returns and enters the key. If you don't want to be prompted to create a key when you invoke the lock utility, use lock -p; your login password will then be the key. If you want to lock a terminal for more than 15 minutes, use lock -n, which disables the timeout. The only ways to bypass a locked terminal are to know the key, to wait for the timeout period, or to have the superuser send a kill signal to the PID of the lock process from a different terminal.

There is also a utility called vlock that you can build using the ports collection. As the superuser and while connected to the Internet:

cd /usr/ports/security/vlock
make install clean

Once the port has been installed, you can leave the superuser account. To use vlock:

vlock
This TTY is now locked.
Please enter the password to unlock.
genisis's Password:

You'll note that this utility only uses the user's password as the key and that the terminal will be locked until a password is entered. However, the superuser can unlock this terminal directly by entering root and then the password for the root account:

genisis's Password: (type in the word "root")
root's Password:

The vlock utility can also lock all the virtual terminals on a FreeBSD system without affecting network logins. If I type vlock -a, my screen will look like this:

The entire console display is now completely locked.
You will not be able to switch to another virtual console.
Please enter the password to unlock.
genisis's password

At this point, my ALT Function keys no longer work and the machine is unavailable for users who physically walk up to my FreeBSD machine unless they happen to know the password for the user "genisis" or the root account. This feature is handy if your FreeBSD box is acting as a server as it will still accept network logins.

In next week's article, I'd like to shift gears a bit and talk about inodes.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
